After the takedown of Cryptolocker, we have seen the rise of Cryptowall. Cryptowall 2 introduced “features” such as advanced anti-debugging techniques, only to have many of those features removed in Cryptowall 3. Ransomware is becoming an extremely lucrative business, leading to many variants and campaigns targeting even localized regions in their own specific languages. Although it is possible that these multiple variants are sponsored by the same threat actor, the most likely conclusion is that multiple threat actors are jumping in to claim a portion of an ever increasing ransomware market. One of the latest variants is called TeslaCrypt and appears to be a derivative of the original Cryptolocker ransomware. Although it claims to be using asymmetric RSA-2048 to encrypt files, it is making use of symmetric AES instead. Talos was able to develop a tool which decrypts the files encrypted by the TeslaCrypt ransomware.

At the first glance, the dropper appears to be related to the original CryptoLocker. The malware states that data files, such as photos, videos and documents on the victim’s computer have been encrypted with the RSA-2048 asymmetric algorithm. As we shall see, that statement is not entirely accurate.

Targeting files that users value highly makes ransomware very effective at getting users to pay the ransom. TeslaCrypt is interesting because it also targets and encrypts computer games files, such as saved games and Steam activation keys. This means that TeslaCrypt is targeting many different types of users, including PC gamers. Just like irreplaceable photos, a game save, which is the product of countless hours of gaming, is extremely valuable and hard to replace.

We have analysed two samples of TeslaCrypt, the first dated March 2015 and the second dated April 2015. Their SHA256 hashes are:

3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370

6c6f88ebd42e3ef5ca6c77622176183414d318845f709591bc4117704f1c95f4

Both samples implement the following hashing algorithms:

SHA1

SHA256

RIPEMD160

BASE58

BASE64

Infection Vector And Setup Function

This ransomware is usually distributed as an email attachment or through websites that redirect the victim to the Angler Exploit Kit. In our analysis, the exploit kit delivered a malicious Flash object containing an exploit against CVE-2015-0311. The payload for this exploit was a TeslaCrypt sample.

We are only going to give a quick introduction on the dropper’s architecture and the setup function because this functionality has been widely covered.

Most TeslaCrypt samples use COM+ sandbox evasion techniques. For example, the dropper we analysed uses simple detection code that verifies if the “URLReader2” COM interface has been correctly installed in the DirectShow filter graph list:

If the check passes, the real dropper is extracted and executed using a well-known method that makes use of the ZwMap(Unmap)ViewOfSection API functions to unmap the original PE memory image and re-map another image file. The final unpacked executable locates specific Windows directories such as the Application Data directory, and builds support files like the “key.dat” file, and files to store decryption instructions. The executable also adjusts its own privileges (adds “SeDebugPrivilege”) and copies itself using a random file name to the user’s Application Data directory. A new process is then spawned and execution is transferred to it. The original dropper file is deleted. The main malware window is created and five threads are spawned, followed by the window message dispatching cycle. The threads perform tasks such as the following:

Open the “key.dat” file and recover the encryption keys. If the “key.dat” file doesn’t exist, create the keys and store them in encrypted form in the “key.dat” file.

Send the new master encryption key to the C&C server through a POST request. The latest sample that we have analysed contains the following C&C server URLs:

7tno4hib47vlep5o.63ghdye17.com

7tno4hib47vlep5o.79fhdm16.com

7tno4hib47vlep5o.tor2web.blutmagie.de

7tno4hib47vlep5o.tor2web.fi

Implement anti-tampering protection: every 200 milliseconds, TeslaCrypt enumerates all running processes and, if a process with a filename that contains any of the words below is found, terminates that process using the TerminateProcess Windows API function:

taskmgr

procexp

regedit

msconfig

cmd.exe

File Encryption - Introduction

After the initialization routine and the deletion of the Volume Shadow copies, the sample creates the “key.dat” file where it stores all the encryption keys. The dropper from March 2015 calculates at least 2 different main keys: a payment key and a master encryption key. The other dropper implements the concept of an additional key known as the “Recovery key”.

“GetAndHashOsData” is the function responsible for creating the base buffer for the generation of all keys. At startup it acquires the following info:

all active process descriptors and the threads descriptors of each process

all loaded modules in each process

the workstation’s physical memory information

Once the data is acquired, it generates a big array of SHA1 values, one for every 20 bytes of acquired data. At the end it calculates and stores a global SHA1 value for the entire array, in a symbol that we have called “g_lpGlobalOsDataSha1”.

With these 2 items, the “FillBuffWithEncryptedOsData” routine is able to fill a generic buffer with the calculated data, in a pseudo-random manner. A master key and a payment key are generated using this function (each key is 32 bytes wide), their SHA256 is calculated and finally a custom algorithm is used to shift left and shift right the 2 keys. The two shifted SHA256 values are stored in the “key.dat” file.

The Key File

The “OpenKeyFileAndWrite” routine tries to open the “key.dat” file, located in the user’s Application Data directory. If it doesn’t exist, it generates the 2 master keys (3 in case of the most recent dropper) as well as other keys, and stores them in the key file.

Here is a little schema of the layout of the “key.dat” file:

* = We currently don’t know precisely how this value is used by TeslaCrypt

The latest version of the dropper creates a “RECOVERY_KEY.TXT” file inside the user’s document directory. It does this to achieve a particular goal: if the victim workstation is offline or if a firewall blocks the communication with the C&C server, the dropper will proceed with the destruction of the master key inside the “key.dat” file, after the encryption of all files has been completed. To recover the files, the user would have to connect to the threat actor’s TOR website and provide the recovery key. The threat actors use a custom algorithm to recover the master key from the recovery key:

The recovery key file contains 3 pieces of information in human-readable form, separated by a carriage return character:

The Bitcoin address

The payment key ID (32 hex digits)

The recovery key (64 hex digits)

The File Encryption Algorithm

File encryption is performed in a dedicated thread. The code for the encryption thread takes the shifted master key, calculates its SHA256 hash and starts to enumerate all files of the victim workstation (filtering by extension type; TeslaCrypt supports over 170 different file extensions).

“EncryptFile” is the function that manages the entire file-encryption process. It:

generates a 16-byte Initialization Vector for AES, using the GetAndHashOsData function

reads the target file

initializes the AES encryption algorithm through the creation of the AES context data structure

finally encrypts the contents of the file using an AES CBC 256-bit algorithm implemented in the “EncryptWithCbcAes” function.

When the process is complete, the new encrypted file is created. The new file contains a small header (composed of the AES Initialization Vector in its first 16 bytes followed by the original file size in the next 4 bytes), and then the actual encrypted bytes.
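As an added example (not the Talos tool and not code from the malware), the file layout described above in Go: ParseHeader pulls the IV and original size out of the 20-byte header and sanity-checks the ciphertext, and DecryptFile applies AES-256-CBC with the SHA256 of the shifted master key and cuts the result at the original size. Assumptions the write-up does not settle: the size field is little-endian, the plaintext was zero-padded to a block boundary, and the 32-byte shifted master key is handed in by the caller (the key.dat shift routine is not reproduced here).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Layout of an encrypted file as described in the write-up:
// 16-byte AES IV, 4-byte original file size, then AES-256-CBC ciphertext.
const (
	ivLen     = 16
	sizeLen   = 4
	headerLen = ivLen + sizeLen
)

// Header holds the two fields recovered from the small header.
type Header struct {
	IV       []byte
	OrigSize uint32
}

// ParseHeader splits an encrypted file into its header and ciphertext.
// Little-endian size is an assumption; the write-up gives no byte order.
func ParseHeader(enc []byte) (Header, []byte, error) {
	if len(enc) < headerLen {
		return Header{}, nil, errors.New("file too short for a TeslaCrypt header")
	}
	h := Header{
		IV:       enc[:ivLen],
		OrigSize: binary.LittleEndian.Uint32(enc[ivLen:headerLen]),
	}
	ct := enc[headerLen:]
	if len(ct)%aes.BlockSize != 0 {
		return Header{}, nil, errors.New("ciphertext is not a multiple of the AES block size")
	}
	// Padding adds at most one block, so the size field must land within that slack.
	if uint64(h.OrigSize) > uint64(len(ct)) || uint64(len(ct))-uint64(h.OrigSize) > aes.BlockSize {
		return Header{}, nil, errors.New("original size field is inconsistent with ciphertext length")
	}
	return h, ct, nil
}

// DeriveFileKey is the step the write-up names: the AES key is the
// SHA256 of the shifted master key taken from key.dat.
func DeriveFileKey(shiftedMasterKey []byte) []byte {
	sum := sha256.Sum256(shiftedMasterKey)
	return sum[:]
}

// DecryptFile recovers the original bytes of one encrypted file.
func DecryptFile(enc, shiftedMasterKey []byte) ([]byte, error) {
	h, ct, err := ParseHeader(enc)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(DeriveFileKey(shiftedMasterKey))
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, h.IV).CryptBlocks(pt, ct)
	// The size field, not the padding, marks where the original file ends.
	return pt[:h.OrigSize], nil
}

// EncryptFile builds a file in the same layout so the example can construct
// a sample offline. Zero padding is an assumption, not a documented detail.
func EncryptFile(plain, shiftedMasterKey, iv []byte) ([]byte, error) {
	if len(iv) != ivLen {
		return nil, errors.New("IV must be 16 bytes")
	}
	block, err := aes.NewCipher(DeriveFileKey(shiftedMasterKey))
	if err != nil {
		return nil, err
	}
	padded := append([]byte{}, plain...)
	if rem := len(padded) % aes.BlockSize; rem != 0 {
		padded = append(padded, bytes.Repeat([]byte{0}, aes.BlockSize-rem)...)
	}
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	size := make([]byte, sizeLen)
	binary.LittleEndian.PutUint32(size, uint32(len(plain)))
	out := append(append(append([]byte{}, iv...), size...), ct...)
	return out, nil
}

func main() {
	// Constructed sample values; a real shifted master key would come from key.dat.
	key := bytes.Repeat([]byte{0x41}, 32)
	iv := bytes.Repeat([]byte{0x02}, ivLen)
	plain := []byte("save-game data: level 7, 3 lives, 12345 points")
	enc, err := EncryptFile(plain, key, iv)
	if err != nil {
		panic(err)
	}
	h, _, _ := ParseHeader(enc)
	fmt.Printf("IV=%x original size=%d\n", h.IV, h.OrigSize)
	dec, err := DecryptFile(enc, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted: %q\n", dec)
}
```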

The pop-up window displays misleading information: the encryption method is symmetric AES, not asymmetric RSA-2048 as stated by TeslaCrypt in the screenshot above. As proof that TeslaCrypt is truly using symmetric AES and not asymmetric RSA, we provide a decryption utility capable of decrypting all the files encrypted by this ransomware (provided you have the master key).

The Talos TeslaCrypt Decryption Tool

Our decryption utility is a command line utility. It needs the “key.dat” file to properly recover the master key used for file encryption. Before it begins execution, it searches for “key.dat” in its original location (the user’s Application Data directory), or in the current directory. If it isn’t able to find and correctly parse the “key.dat” file, it will return an error and exit.

To use this tool, just copy the “key.dat” file into the tool’s directory and then specify either the encrypted file or a directory containing encrypted files. That’s it! Files should be decrypted and returned to their original content.

ThreatGrid has also added a behavioral indicator to identify TeslaCrypt.

Conclusion

Analysing TeslaCrypt ransomware was a challenge. All the encryption and hashing algorithms in the dropper made the analysis pretty difficult. As we have seen, sometimes the threat actors even lie. Nevertheless, ransomware continues to plague users. Incorporating a layered defense is critical to combating this type of threat before it has the chance to encrypt files. A good system backup policy is the best way to recover files that have been hijacked.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

The Network Security protection of IPS and NGFW has up-to-date signatures to detect malicious network activity by threat actors.

ESA can block malicious emails including phishing and malicious attachments sent by threat actors as part of their campaign.

205 comments:

I had this bloody thing take over my PC, killed all my music, videos, pdfs and photos etc. I was well hacked off. Fortunately I had a backup of everything on an external hard drive (not plugged in at the time, else that would have been done as well) so only lost a few phone photos. I did a fresh re-install of Windows and other software to be sure it was gone and all was good, albeit half a day to install updates to Windows 7 Ultimate 64 bit! A note to others: always backup your data if you want to keep it safe, do this on 2 drives and stick 1 round your folks' house, periodically rotate them to keep both up to date, just in case of fire or flood etc. I learnt the hard way 10 years back, will never make that mistake again! It's not a question of IF but WHEN!

Hey guys, I have been infected by this evil ransomware and was about to pay for decryption when I found your awesome blog. I have tried running the Windows binary .exe but the master key has gone. How confident are you that you will be able to write an algorithm to recover the master key from the recovery key and if so how long will it likely take? Thanks

That is extremely unlikely. The vulnerability here is that the threat actor implemented the encryption algorithm using symmetric keys. If the key is missing this method will not work. I would recommend you restore from backup.

Hi Craig, foolishly I do not have a backup. I had all of my files on a NAS drive which I had mirrored, thinking that all I was protecting against was a drive failure or hackers trying to steal information. I have thousands of photos that are very important to me so it looks like I have no choice but to pay the ransom. As soon as I get my files back I shall be backing up to the cloud and an external hard drive.

True but I don't have much choice. I have run McAfee Stinger to remove the Malware. I will reformat my HDD and start again as an additional precaution. So long as I get my files back I will be relieved.

I am not familiar with that product. If it has the concept similar to quarantined files you may want to check there for the keyfile. It is possible it was classified as malware since the malware produced it. Good luck.

Hi, I tried using your tool but on the infected machine (Windows XP) I receive the error "TeslaDecrypter is not a valid win32 application". Then I copied the key.dat file from the infected machine to another PC with Windows 7 64bit. When I tried to run the tool I receive "Warning! The "key.dat" file doesn't include the master key."... Any suggestion for next steps? Thanks, Dushan

If you determine it's impossible to restore the master key from the recovery key alone (e.g. if it's encrypted via ECIES or some other asymmetric cipher), do you intend to update the blog post with the technical details of your findings?

I have the same problem. One of our computers is still on XP and the virus encrypted the local hard drive and the backup which was attached to the computer. The decryption tool states to use the command line option, however whenever you press a key the decryption tool closes. Any help would be GREATLY appreciated.

I just tested the newer version. I can confirm that it works in XP. I can see the report in the created TeslaDecrypter TXT file:

20:15:37 - ReadKeyFile - Warning! The master key inside the "C:\Documents and Settings\....\Application Data\key.dat" file is stripped down. Unable to import the master key. To recover the master key from the recovery key please use a newer version of this tool.

Many thanks to your great work please keep going to find master key...

Hi, I was hit by this virus on Saturday the 25th of April. I have been able to stabilize my computer and remove the virus. I tried your decrypter but it says my key.dat wasn't there. I then used a data recovery program and I think I might have found it, but because it is also partially encrypted I am not sure. If I send a snapshot of the file I found, could you tell me if this is in fact my private key? Thanks for any help, I would love to regain all my lost files, or even some of them. Julie

How do I solve the below error??? Please, I need assistance. I am on XP.

Warning! The "key.dat" file doesn't include the master key.
This is a quite common situation because TeslaCrypt has already deleted it
to proper mantain its stealth.
This version of the decryptor doesn't include the algorithm needed to recover
the Master key from the Recovery key.
Please use a newer version of the tool.

Error! I was not able to recover the TeslaCrypt Master key!
Try to use the command line.

Will highly appreciate if we can get the work around for the error we are getting below. Keep up the good work.

ReadKeyFile - Warning! The master key inside the "C:\Documents and Settings\Fahim\Application Data\key.dat" file is stripped down. Unable to import the master key. To recover the master key from the recovery key please use a newer version of this tool.

Hi Talos, thank you very much for this tool. I cannot run it on a Windows 7 Professional SP1 box: every time it crashes after I enter the filename to decrypt. Dependency Walker claims I miss some modules: API-MS-WIN-APPMODEL-RUNTIME-L1-1-0.DLL, API-MS-WIN-CORE-WINRT-L1-1-0.DLL and many others. I installed VC++ 2012 and 2013 redist with no luck. How can I fix it? Thank you

Talos, hope we can tackle the issue below soon. Please advise on way forward. Keep up the good work.

ReadKeyFile - Warning! The master key inside the "C:\Documents and Settings\Fahim\Application Data\key.dat" file is stripped down. Unable to import the master key. To recover the master key from the recovery key please use a newer version of this tool.

I have an infection with TeslaCrypt that has dropped .ezz files instead of .ecc. As far as I can tell your command line tool works, but does not see the .ezz files as needing decryption. Is there a quick fix for that?

Hello Craig, please assist with the "file is stripped down. Unable to import the master key. To recover the master key from the recovery key please use a newer version of this tool" error. I have so many files I need to recover.

I came across this on a customer's computer but before I found this blog I'd already re-formatted the PC! I have kept all his encrypted personal files, pictures etc. The key.dat file and all other files associated with TeslaCrypt are gone though. Is there going to be a tool that can decrypt his files without relying on the key.dat file or recovery_key.txt file??

A customer was hit with a variant of this today on an XP machine. The files affected had the .ezz extension added. I ran a batch conversion and changed the file extensions to .ecc. I then ran the tool (4/28 version) which converted all the files and reported success. None of the converted files worked. My log shows that I missed the (key.dat file is stripped down) error message. Please let me know when an updated version is available.

Usually how many days or weeks should it take to deal with this ransomware? It's definitely a nightmare for a lot of those PC users whose files get encrypted. Everyone is crying for a solution.

Today we have discovered a lot of files with EZZ extension. For a lot of files we have backup, but some not. We have tried the teslacrypt tool, but no success:

Warning! The "key.dat" file doesn't include the master key.
This is a quite common situation because TeslaCrypt has already deleted it
to proper mantain its stealth.
This version of the decryptor doesn't include the algorithm needed to recover
the Master key from the Recovery key.
Please use a newer version of the tool.

Error! I was not able to recover the TeslaCrypt Master key!
Try to use the command line.

Hi Talos Group, just got this on a client's XP machine - encrypted files with ezz extension. On a PC and a server. Is there going to be an updated version of your tool to decrypt the .ezz files? Client is literally crying!!

Hello. My institution has also been hit by this. We have downloaded and run this tool. The tool indicated that it completed successfully and the icons for the encrypted files changed back to the appropriate image. However, when we try to access those files, we get errors saying that the files are corrupted. Any suggestions on what we need to do differently?

This blog helped me recover almost 20,000 files and save my a$$ from getting canned. I learned a valuable lesson. ALWAYS BACKUP. BTW. I formatted the PC before I read this post and went back and recovered the key.dat file with the demo version of R-Studio.

Malware like this are a good reason to deploy an IPS rather than a typical firewall/router solution, and make the case for specifically why I've used an IPS for several years now. My IPS, aside from doing the job of a normal firewall, also intelligently detects and responds against malware, botnets and attempted breaches of security. But then again, I also don't play many PC games anymore... too busy, mainly, with work. Still, in my line of work, I'm basically on the front lines of cyber warfare, so when I say that an IPS will mitigate crap like TeslaCrypt, listen up because it's good advice. I realize that not everyone understands technology enough to deploy an IPS, but in those cases one can be purchased, or built out by a friend, or something like that. I'm sure there are a few struggling PC repair shops around that would be more than happy to convert a P4 or early Athlon64 into a pfSense IPS/Firewall, and probably for a fairly low fee. If someone supplies the hardware, I'll build one out for $50, because it doesn't take me even a half hour to prep one.

For information only to those who have a .ezz file extension, rather than the .ecc file extension.

If your encrypted files have a .ezz extension, you were probably infected by a new variant of TeslaCrypt, dubbed Alpha Crypt. http://www.bleepingcomputer.com/forums/t/574900/teslacrypt-ransomware-changes-its-name-to-alpha-crypt/

It would appear, based on the comments above and comments left on that other site, that when renaming the .ezz files to .ecc (and you have the master key!) the Talos TeslaCrypt Decryptor tool is fooled into thinking it successfully decrypts your encrypted file ... but it hasn't, at least not correctly. If you try this yourself, I would suggest you keep a copy of the original encrypted file first, to use later should a more successful solution then be found for you.

Thank you for working to counteract these evildoers! I have seen that there are several ransomwares that have now been cracked. As a victim of Cryptowall2, I am hoping that you or others may eventually be able to crack that one as well so those of us who were hit by it can retrieve our files. Thanks for your efforts.

We were hit by this today. As others have stated, we are getting .ezz files instead of .ecc. Changing the file extension does not seem to help in our case (Decrypter sees them and claims 'success', but the files are still corrupt/encrypted).

I have the key.dat and an example of an encrypted file if that will help.

My key.dat exists but only contains the bitcoin address. Has anyone had any luck using data carving software to find the original version of the file? I also see that there is a registry key at HKCU\Software\Windows\CurrentVersion\SET\data. This contains the same recovery key as recovery_key.txt but may have contained the master key at some point. Any luck carving for deleted or modified registry keys? A little bit of a stretch but I'm desperate :)

The variant we have been hit with ends with .ezz. In addition you can't launch a command prompt or task manager. I tried running the tool anyway and it does decrypt the file but the file contents are garbled and unreadable.

Well, I am one of those with a stripped master key. I found nothing. I dug through deleted files but almost none exist on that drive, and I tried looking past EOF of key.dat but nothing seems to remain there. I am surprised that there are no trails of deleted files, at least as found by various undelete tools. Does anyone know whether I should try looking deeper, e.g. by GHex or something else like old DiskEdit, or is it just a dead end and it is gone, overwritten in place by malware design?

I have 2 key.dat files. This probably happened because there are two personal application data folders on my PC. The first file was created a few hours after encryption on Thursday April 23rd. It contains the master key. The second was created five days later, but is missing the master key. (I have 2 recovery text files which match the creation times of both key.dat files.) I ran the decrypter, which chose the second key.dat (without the master key). Then I found the other key.dat file after doing a simple search for "key.dat". I then ran the decrypter with the first created key.dat key file, which returned a success. However, the newly created pics with no ecc extensions have no preview and the new word/excel files created are illegible. Would it be possible to put the master key into the second key.dat file, which probably has the correct shifted SHA 256? I have read this site's info a 100 times. I am no techie... just an accountant! Can someone please advise?

Talos Team: have .ecc extensions; have 2 key.dat files(dat file 1 produced after encryption has master key) (dat file 2 produced 5 days with no master key); difference in dat files: bitcoin address change, all characters following bitcoin address changed, empty space where masterfile was, but the very last group of characters 7(maybe 8 characters) have similarities. The first 2 characters are different and the remaining characters are the same. Ran your decryption with dat file 1. Success. Result - JPEGS no preview. Used JPEG repair tools. JPEGS corrupted. Could the difference in the last 7 characters cause the corruption of JPEGS? Can a new dat file be created to correctly decrypt files? Any suggestions from anyone? Thanks...Jean

Talos Team: in reference to comment above May 6/2015 at 11:30am: the JPEGS produced from your decrypter are the exact same byte size as the original unencrypted jpeg file (retrieved from an email). Is this decrypted file truly corrupted? Or is something missing from the master key in dat file 1 that is in dat file 2 which is necessary for your decrypter to produce the image? one JPEG recovery tool returned invalid file...another tool returned severely corrupted file(copies of all original encrypted files are backed up...just don't know how to create a new dat file if this is the issue.) Please let me know. Thanks....Jean

Good evening! I don't have the key, but I have a picture saved on an external hard disk and the same one that has been encrypted on my laptop's hard disk. Is it possible to obtain the key having these? Thank you!

As information, we had a situation where business-important files were encrypted, but we had no backup of them. We had to go through with the payment to get the decryption key. This works! We paid 2.2 Bitcoins (528$) and after 1 hour we got the key and a tool to decrypt. So, if backup is not an option, and paying is the last way out, this works.

If you have the decrypting software then you really need to contact the Talos team and get it to them so that they can reverse engineer it. If you don't then my guess is you want people to pay the ransom...

KR: I got the decryption software. If I knew how to contact the Talos team to give it to them, I would do this. The decryption requires a decryption key, a verification key and the decrypt software. I would send it all to them, if I knew how to.

You are at the same point as others. Your master key was deleted and you can't do anything. There are no solutions yet. You can only pay 500USD or format the PC or find the master key somewhere, or will anyone find a new solution??

Hi Craig, followed all the instructions provided in this blog but still no luck. The files I'm trying to restore are in .EZZ ext, they say the tool only works with .ECC? Do you have an update for .EZZ? Thanks in advance.

This is by far the worst Malware / Ransomware that I've experienced, and as you lot have stated, it doesn't work with EZZ files. I wish it did, as I have a customer who's lost all her documents / photos and I'm desperate to get them back for her! Fingers crossed the tool can be revised for EZZ files, and the people responsible for creating this malware are identified and brought to justice.

Hello :) Is there a way to get my data back? I need the pictures of my daughter. Please help me. I tried but it doesn't work with the new version of that type of malware. The files have a .exx extension.

Hi, I paid 2.2 bitcoins and have received the decryption software from the w*nkers who put the ransomware on my PC. It has worked and I now have all of my files back. Frustrating as this is, I am delighted as there were 35GB of photos of my kids since they were born. I have now backed up all of my data to an external HDD and am about to backup to online storage as well. One question - I have run McAfee Stinger, McAfee full version, Malware Bytes, all of which now show my PC as clean. Do I need to wipe my hard drive and reload Windows and all of my software or am I safe now that the ransomware virus has been deleted? Thanks

Hi. It would be better to reinstall your Windows and install all your needed software after that. You can't trust that your system is safe, because they can leave such tools to catch passwords and so on. Can you send me a download link for the decryption software please? I can pay half of your BTC if it works. Thank you

Local company rang me up to take a look at the machine and it had encrypted all the files with the extension .exx not only that it wiped out the shadow copies on the drive.

As mentioned earlier looks like this variant uses a storage.bin file in appdata as the key file and not key.dat, so I have a key file but running the tesladecrypter allows the key to be picked up but I have to rename the files from .exx to .ecc for it to attempt to decrypt the files.

All it does is delete the file and reports in the log that the file is not encrypted or not a TeslaCrypt encrypted file.

MSS found ransom:win32/Tescrypt.A and has quarantined now just need to find a way to decrypt these files if possible.

Alex - without the decryption key and verification key, which are unique for each user, the decryption software is useless. Sorry to be the bearer of bad news but at least if you pay them then you can get your data back.

So I was infected by a ransomware on my android phone. I got it off and ran security apps that were suggested by other big blogs. The only problem that I have is that all of my pictures and music are still encrypted. How do I decrypt them on my phone? any suggestions would be great, you can email me at michaelconner1790@yahoo.com

Has anyone been able to decrypt the ECC files with key.dat files that do not include the master key? Can I find in this case the master key in the file storage.bin? How should I proceed? Thank you very much.

Hi Katrin - I tried to do exactly that on an encrypted Windows XP machine. I can run the decryptor and get a "success" message for the chosen encrypted files; unfortunately nothing happens, I still can't open the files. Do you experience the same behaviour?

I was able to recover a recovery-key.txt file with third party software and the decrypter says it was successful, but all the files are now encoded incorrectly and they are just symbols. Is there something else I can do?

It's not a valid decrypter, it's the software that is provided to you when you pay the ransom. By no means should you run the exe in hopes to clean your files. It is most certainly unsafe. If you read all of the comments you would see that it was requested by several people. The idea being, in the right hands, it might provide some insight to creating a safe and proper decrypter.

My company has recently been hit by a variant of TeslaCrypt. The extensions end in .exx, and the master key was stored in "%Appdata%\Local\storage.bin". I renamed it to key.dat and was able to pull the key from it using the Talos tool, but it failed to decrypt.

Same as others have noted. My files renamed with .exx extension and no key.dat but storage.bin file along with log. Any help would be appreciated and thank you for your work already with ecc and ezz files.

@Michael: Yes, I'm experiencing the same behaviour. Before running TeslaDecrypter I renamed the .exx extension to .ecc, but they are still encrypted. I can't pay these criminals, because by doing so I'm only convincing them that they are in the right line of business. And the second reason is that I don't trust that I get something back for the Bitcoins. @all stop paying these people

I have the same problem, my file endings are .exx. Is it possible to store my encrypted files on an external hard disk and wait until they can be decrypted, or do I need some files like key.dat (I couldn't find it)? Or are they lost after I cleaned up my Windows?

Same problem as well. I just got a computer from my client and it is infected with .exx... I tried to run Cisco Talos TeslaDecrypt with the key.dat (renamed from storage.bin from \%USERNAME%\Appdata\Local\Storage.bin) and I got success. But the files are still encrypted.

So where are we getting the key from? I have key.dat in the decrypt directory - what else am I missing - I can run the script using the example key in your post - but of course the resulting file is not decrypted - If I don't specify the key, the script runs but without any output

Note: I'm only doing this with the .py version because I cannot run the .exe as I mentioned before

@Brian: indeed! That decryptor tried 1 billion pwd in 2 hours then gave up; moreover it seems to ignore completely the exit.hhr.oshit. I ran the process several times, with or without exit.hhr.oshit, key.dat in %APPDATA%, %TEMP%, %windir%, c:\ and even its folder, but the time, the log and the result are always identical. NO success; I believe that Ricoboss did not experience his decryption with Alphacrypt, but (lucky for him) with a different ransomware.